Today a user decided to have a "strong emotion" by opening a very strange zipped attachment received in his mailbox, and I try to imagine his disappointment when he noticed that nothing happened. Then he decided to call me, informing me that MAYBE something wrong had been done...

The good: my firewall detected the outgoing request of the malware trying to access a botnet and blocked it immediately.

The bad: sad to see that this funny piece of software passed:

1) the AV module of my firewall appliance (AVG engine)

2) the APT module of my firewall appliance (detected as zero-day malware/APT, but with disposition ALLOWED by standard behaviour)

3) the AV module of my mail server (Sophos)

4) the endpoint AV (Webroot)

So, after all, not that big a headache. A scan with Malwarebytes did the trick (after an hour Webroot was also able to detect it) and now no more botnet hits from that endpoint IP... just realizing how smart these guys are.
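The triage the post describes (firewall blocks an outbound botnet request, the source endpoint is identified and cleaned, and the log is watched to confirm the hits stop) can be scripted over the firewall log. The example below is added here and is not code from the original thread; the log line format, the rule name `botnet-c2`, and the sample log (documentation-range IPs only) are constructed assumptions.

```python
"""Triage helper for blocked outbound botnet/C2 hits in a firewall log.

Added example, not from the original thread. The log line format, the
rule name "botnet-c2" and the sample lines below are constructed
assumptions chosen to illustrate the check, not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime
import re

# Assumed line format:
#   <ISO time> action=<allow|block> src=<ip> dst=<ip> dport=<n> rule=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) rule=(?P<rule>\S+)$"
)

# Constructed sample log: two endpoints, one of them cleaned at 10:00.
SAMPLE_LOG = """\
2024-01-10T09:02:11 action=allow src=192.0.2.15 dst=198.51.100.7 dport=443 rule=web-out
2024-01-10T09:05:40 action=block src=192.0.2.15 dst=203.0.113.9 dport=8080 rule=botnet-c2
2024-01-10T09:06:01 action=block src=192.0.2.15 dst=203.0.113.9 dport=8080 rule=botnet-c2
2024-01-10T09:07:33 action=allow src=192.0.2.22 dst=198.51.100.7 dport=443 rule=web-out
2024-01-10T10:15:02 action=block src=192.0.2.22 dst=203.0.113.9 dport=8080 rule=botnet-c2
2024-01-10T11:30:00 action=allow src=192.0.2.15 dst=198.51.100.7 dport=443 rule=web-out
"""


def parse(log_text):
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def c2_hits_by_source(events, rule_name="botnet-c2"):
    """Map each source IP to the timestamps of its blocked hits on the C2 rule.

    This is the list of endpoints that need a scan, ordered by first hit."""
    hits = defaultdict(list)
    for e in events:
        if e["action"] == "block" and e["rule"] == rule_name:
            hits[e["src"]].append(e["ts"])
    return dict(hits)


def hits_after(events, src, cleanup_iso, rule_name="botnet-c2"):
    """Count blocked C2 hits from src after the cleanup time (ISO string).

    Zero means the endpoint went quiet after remediation; anything else
    means the cleanup was incomplete or another process is still beaconing."""
    cleanup = datetime.fromisoformat(cleanup_iso)
    return sum(
        1 for e in events
        if e["src"] == src and e["action"] == "block"
        and e["rule"] == rule_name and e["ts"] > cleanup
    )


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, times in sorted(c2_hits_by_source(ev).items()):
        print(f"{src}: {len(times)} blocked C2 attempts, first at {min(times)}")
    for src in ("192.0.2.15", "192.0.2.22"):
        print(f"hits from {src} after 10:00 cleanup:",
              hits_after(ev, src, "2024-01-10T10:00:00"))
```

Run against a real export, the first function gives the list of endpoints to scan and the second is the "no more botnet hits from that endpoint IP" check; a non-zero count after cleanup is the signal that the host is not actually clean.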

They can basically submit their malware to a service to jumble and "crypt" their malware over and over, test it against different AVs until it's undetected, then send it back to them to distribute. It's totally automated at this point; bad actors can send out fully undetectable versions of the same malware on a daily basis if they want to. There's always going to be something that gets through all your filters, unfortunately.

I stopped mine, and everyone else here for that matter, from being able to install anything. It took a little getting used to, but now I don't have to worry about weird emails because they can't execute even if the user does something stupid.

I've seen this as well. No matter how good your "layers" of defense are, there will always be a vulnerability waiting to be exploited on the end user. That's why backups are a necessity these days with ransomware.